ID: 41970
Updated by: [EMAIL PROTECTED]
Reported By: php at hristov dot com
-Status: Assigned
+Status: Closed
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 6CVS-2007-07-11 (CVS)
Assigned To: helly
New Comment:

This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2007-07-11 21:38:26] [EMAIL PROTECTED]

Marcus, please take a look at it.
A patch like this: http://dev.daylessday.org/diff/bug41970.diff fixes it for me, similar patches should be applied to other call_user*() funcs of course.
Though I would really like to see a cleaner solution for it. Can you think of any?

------------------------------------------------------------------------

[2007-07-11 21:12:57] php at hristov dot com

Description:
------------
Try the example with HEAD (5_2 seems immune).
The example exploits that sort() needs its parameter to be passed by reference, which we don't do. zend_call_function() will bail out on this, and return FAILURE when called from call_user_func_array(). The first instruction of zend_call_function() is *fci->retval_ptr_ptr = NULL; with this we lose the original pointer and leak when zend_call_function() returns with FAILURE. In this case in call_user_func_array() new memory for return_value is allocated, which later is destructed.

[23:55:29] [EMAIL PROTECTED]:~/dev/php6> ./php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'
array(3) {
  [0]=>
  int(4)
  [1]=>
  int(3)
  [2]=>
  int(2)
}
[Wed Jul 11 23:55:32 2007]  Script:  '-'
/home/andrey/dev/php6/Zend/zend_vm_execute.h(191) :  Freeing 0x40D4C400 (16 bytes), script=-
=== Total 1 memory leaks detected ===

Reproduce code:
---------------
php -r '$a=array(4,3,2);call_user_func_array("sort", array($a));var_dump($a);'

------------------------------------------------------------------------
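As an added illustration of the ownership pattern behind this report (a hypothetical C model, not Zend engine code; `zval_t`, `call_info_t`, `run_call` and the live-allocation counter are invented for the example), the buggy shape nulls the caller's return-value slot before the by-reference check can still fail, so a FAILURE return leaves the caller with nothing to destroy; the fixed shape validates first and only touches the slot once it cannot bail out:

```c
#include <stdlib.h>

/* Hypothetical model (not Zend code): the caller owns a heap "zval" and hands
 * the callee a pointer-to-pointer slot, like fci->retval_ptr_ptr. Counting live
 * allocations lets the leak be observed directly instead of via a leak report. */
typedef struct { long value; } zval_t;
static int live_zvals = 0;

static zval_t *zval_new(void) { live_zvals++; return calloc(1, sizeof(zval_t)); }
static void zval_free(zval_t *z) { if (z) { live_zvals--; free(z); } }

typedef struct {
    zval_t **retval_ptr_ptr;  /* caller's slot holding its return_value pointer */
    int needs_reference;      /* callee (think sort()) wants its argument by reference */
    int arg_is_reference;     /* what the caller actually passed */
} call_info_t;

/* Buggy shape: clear the caller's slot first, then possibly bail out.
 * On FAILURE the slot stays NULL and the original zval is unreachable. */
static int call_function_buggy(call_info_t *fci) {
    zval_t *result = *fci->retval_ptr_ptr;
    *fci->retval_ptr_ptr = NULL;                 /* original pointer lost here */
    if (fci->needs_reference && !fci->arg_is_reference) return -1; /* FAILURE */
    result->value = 42;                          /* constructed result value */
    *fci->retval_ptr_ptr = result;               /* restored only on success */
    return 0;
}

/* Fixed shape: reject bad arguments before touching anything the caller owns. */
static int call_function_fixed(call_info_t *fci) {
    if (fci->needs_reference && !fci->arg_is_reference) return -1; /* FAILURE */
    (*fci->retval_ptr_ptr)->value = 42;          /* slot untouched until here */
    return 0;
}

/* Caller modelled on the report's call_user_func_array(): allocate return_value,
 * call, then destroy whatever the slot points to. Returns the number of zvals
 * still live afterwards, i.e. the number leaked by this call (0 when correct). */
static int run_call(int (*callee)(call_info_t *), int arg_is_reference) {
    live_zvals = 0;
    zval_t *return_value = zval_new();
    call_info_t fci = { &return_value, 1, arg_is_reference };
    (void)callee(&fci);
    zval_free(return_value);                     /* no-op if the slot was nulled */
    return live_zvals;
}
```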
